[xsl] RE: Re: Saxon Servlet

Subject: [xsl] RE: Re: Saxon Servlet
From: owner-xsl-list@xxxxxxxxxxxxxxxxxxxxxx (by way of B. Tommie Usdin)
Date: Fri, 2 Mar 2001 09:30:29 -0500
Date: Thu, 1 Mar 2001 21:38:33 -0800 (PST)
From: Dimitre Novatchev <dnovatchev@xxxxxxxxx>
Subject: RE: Re: Saxon Servlet
To: mhkay@xxxxxxxxxxxx
Cc: xsl-list@xxxxxxxxxxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Michael Kay wrote:

> I am having a very simple problem (even though I do not know > how to solve > it :)) with the SaxonServlet provided with the src code > samples. Basically, > I want to pass both my XML source and XSL source as URL's > which are located on a different machine.

 There are security reasons why this isn't allowed, someone running a web
 site doesn't want users to be able to run an arbitrary stylesheet, possibly
 containing calls on extension functions, on that server.

But this does not mean that the idea is useless or that it cannot be implemented.

You could have a big collection of different XSLT processors on the server
and give anyone anywhere the ability to have their xml docs remotely transformed
with their xslt stylesheets.

The users don't need to have any xslt processor installed on their client computer,
nor will they have any problems in upgrading to the latest versions.

One could create and post for processing from any computer -- even when on vacation,
from an Internet Cafe or while at a conference...

In fact there's an implementation -- the Remote XML Workbench allows clients
to post two string parameters, one -- the text of an xml document,
the other -- the text of a stylesheet.

The user can select between MSXML and Saxon 5.4

On the server the stylesheet is applied to the xml document
and the result string is returned to the client.

It is true that there are serious security issues. They are dealt with
by pre-scanning the provided stylesheet with a security checking stylesheet.

Since last August there hasn't been a single security violation.
The only problem is that MSXML can crash under deep recursive
processing -- I'm really impatient to have this finally fixed in MSXML.

Dimitre Novatchev.

Do You Yahoo!?
Get email at your own domain with Yahoo! Mail.

XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list

Current Thread